VIRUS-L Digest   Friday, 29 Sep 1989    Volume 2 : Issue 207

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list.  Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk

Today's Topics:

Re: Tiger Team comments
DATACRIME II INFO (PC)
Tiger teams attempting to penetrate corporate machines at night
New virus on a PC ??
Virus detector program (PC)
Re: Anti-viral hard disk controllers
Re: Review of NIST anti-virus paper...
When is a virus not a virus?
Cascade in Sargon III (PC)
ViruScan Length (PC)
Oct 13 PC virus question
FixCrime.arc (PC)

---------------------------------------------------------------------------

Date:    Thu, 28 Sep 89 07:41:32 -0400
From:    dmg@lid.mitre.org (David Gursky)
Subject: Re: Tiger Team comments

In Virus-L #205, Steve and had some good comments about my Tiger Team
suggestion.  Here are some answers to their comments:

RE: Most viruses are not spread by someone sneaking in at night...

Absolutely true.  The objective of this proposal would be to ensure
that users are following a published anti-virus strategy, beyond simply
backing up the data.  If the user targeted by the Tiger Team is
following the procedures properly, then the virus should not be able to
get in.  For instance, say the policy reads "All Macintosh computers
shall run Gatekeeper".  Gatekeeper is very effective at stopping nVir.
If the Tiger Team attempts to infect a Mac with nVir, and the attempt
fails, the user of the system is not properly following the established
procedure.
RE: What corporation is willing to take the risk of letting someone
*tamper* with the computers which the company depends upon, especially
when proper operating procedures will offer you very good protection?

Good question.  I would hope any company worth its salt.  The objective
of the "Tiger Teams" is to help ensure the corporate anti-virus policy
is being adhered to.  "Proper operating procedures" per se do not
prevent an infection, *following* those procedures does.

RE: Can you guarantee that the "Team" will not do damage?...

In order for this proposal to be effective, the TT must do a complete
backup of the system's data before proceeding (I suspect an image backup
would be preferred in this instance), and a restore afterward,
regardless of whether the team succeeds or fails.

RE: If they are introducing live viruses, ... no one can guarantee the
virus will be benign in all situations...

I have a problem with this suggestion.  Viruses (even nasty ones) such
as nVIR, (c) Brain, Lehigh, and so on are well understood.  If I start
with a "known" strain of one of these (and there are libraries out there
of unmodified versions of these and other viruses), I know exactly how a
virus will behave under any set of conditions.  Please also remember
that I proposed using a "neutered" version of a virus.  Using (c) Brain
as an example, if the logic-bomb or time-bomb is removed from it,
leaving only the infector, it's hard to say that such a neutered virus
poses a serious threat to a user when used by a TT to check for the use
of anti-virus procedures.

RE: If the tiger team fails to exterminate ALL copies of the virus there
is the possibility of virus parinoia (sic), files that grow in size for
no good reason, and the possibility of lost data thru virus
malfunctions.

See my earlier comment about backups and neutered versions.

RE: The virus would be released in an unsuspecting work area.
The presence of strangers insisting on checking every disk that leaves
the area would cause chaos.

As described above, the virus would not be released in an unsuspecting
work area.  Tiger Teams are used as a method to test the effectiveness
of a given policy.  If the users within a given work area are not
following an established anti-virus policy (it is taken as a given the
suggestion of TT is only valid where such a policy exists, for the exact
reason you point out) then they are at risk for a virus infection, and
poss a risk for other computing resources (oops!  Poss = pose).

RE: "Controlled" environment

Such environments are possible.  They are routinely used for the
handling of classified materials for example.  Again, the effectiveness
of the controls directly depends on how well you adhere to them.

------------------------------

Date:    28 Sep 89 23:03:57 +0000
From:    edvvie!eliza!andreas@relay.EU.net (Andreas Brandl)
Subject: DATACRIME II INFO (PC)

Hello out there,

a few days ago I read an article about the DATACRIME virus and how I
can find it with search-strings.  Yesterday I read in an info-paper from
a very, very, very big corporation about them.

This paper tells about three versions of DATACRIME.  The first two
versions only infect COM-files.  Their functions are identical, only
their increase-sizes are different.  One increases the file size by
1168 bytes, and the other by 1280 bytes.

DATACRIME II virus is the third version and infects COM and EXE files.
In this version COM files grow by 1514 bytes and EXE by a similar, but
variable, size.

I possibly know the search-string for the third version.  But I can
give no warranty that my info is absolutely right.  The search-string
is like the following:

5E81EE030183FE00742A2E8A9403018DBC2901

I hope this is a little help to locate and destroy this virus.
Bye bye,
Andreas

- --
------------------------------------------------------------------
EDV Ges.m.b.H Vienna              Andreas Brandl
Hofmuehlgasse 3 - 5               USENET: andreas@edvvie.at
A-1060 Vienna, Austria/Europe     Tel: (0043) (222) 59907 (8-16 CET)

------------------------------

Date:    28 Sep 89 13:27:06 +0000
From:    cpsolv!rhg@uunet.UU.NET (Richard H. Gumpertz)
Subject: Tiger teams attempting to penetrate corporate machines at night

Why should such a "tiger team" work under cover of dark?  Why not
"surprise inspections"?  "We're from virus security and we're here to
help you ..."

- --
==========================================================================
| Richard H. Gumpertz    rhg@cpsolv.UUCP -or- ...uunet!amgraf!cpsolv!rhg |
| Computer Problem Solving, 8905 Mohawk Lane, Leawood, Kansas 66206-1749 |
==========================================================================

------------------------------

Date:    28 Sep 89 20:57:36 +0000
From:    cosc75a@uhnix1.uh.edu (Parameshwaran Krishnan)
Subject: New virus on a PC ??

Hi,

I am working in the College Of Business Admn, of the Univ of Houston.
And I am in the RICS Deptt.  I manage Novell Networks there.  Today
there was a report of a virus in a floppy disk.  I am listing down its
features; anybody who would have seen it before please inform me

1. how destructive it can be.
2. how it can be disinfected.

Features:

1. It seemingly attaches to an exe file.  When u try to execute the
   file it says that the very same file was not found (??) and asks for
   a path (in this specific instance it was a Wordperfect file.  If u
   executed wp, it said wp.exe not found, please give a path like
   c:\wp\wp.exe.  I have a feeling that it does this to infect the
   harddisk too).  If the path is given then it goes bonkers.

2. In this case it created a hidden file called Wordperf.cet.  It also
   screws some exe files on the hard disk.  It took up 660 bytes extra
   and wrote the wp.exe back again on the disk.  I think this might be
   the virus code.
If u want any other feedback please e-mail me and i will send it to u.

Thanks in advance,
P Krishnan (cosc75a@uhnix1.uh.edu)
(create a virus free computer world)

------------------------------

Date:    Thu, 28 Sep 89 13:48:53 -0400
From:    unhd!stm@uunet.UU.NET (Steven T Mcclure)
Subject: Virus detector program (PC)

I would be very interested in seeing this program posted, as I don't
know much at all about viruses.  I have an AT&T PC6300 with MS-DOS 3.0
with a HD, and would like to be able to find out if I have any viruses
currently, and would also like to be told if a new one is being
introduced into the system.  I don't have ftp access, so I would rather
see it posted to c.b.i.p, and there are probably other people who know
about as much as I do who would be interested also, but aren't
news/ftp/bbs wizards.

Thanks.
-- Steve

------------------------------

Date:    Thu, 28 Sep 89 21:02:15 +0000
From:    time@oxtrap.oxtrap (Tim Endres)
Subject: Re: Anti-viral hard disk controllers

Virus infection is not *spread* via hard disks.  Floppies and modems
are the *movement* medium.  I am not sure what advantage this read only
hard disk has over simply monitoring the checksum of an application.

More importantly, not all computer systems have "read-only"
executables.  Most notably, the Macintosh stores code in the resource
fork of an application, which is *frequently* modified.  The move to
distributed execution from file servers is slowly changing this, but it
remains an issue.

We have a program that, once run against an executable, makes it
IMPOSSIBLE for a virus to infect that application and be executed.
Infection is still possible, but the application will never execute
again, thus stopping propagation.  This is simply a check sum of the
executable set up in a way to inhibit execution once infection has
occurred.  The use of a quick key word entered by the user at run time
prevents the virus from "intelligently" by-passing the check sum.
This solves only one facet of the problem, but a large facet it be.

------------------------------

Date:    Thu, 28 Sep 89 21:07:32 +0000
From:    time@oxtrap.oxtrap (Tim Endres)
Subject: Re: Review of NIST anti-virus paper...

> Discussion of the NIST virus paper...

The paper forwards the myth that programs obtained from public sources
(bulletin boards; public network libraries) are inherently tainted, and
that shareware/freeware/etc. should really be avoided.  By the same
token, the paper forwards the myth that commercially obtained
applications are inherently untainted.  Sounds like the committee was
seated with commercial software vendors!

------------------------------

Date:    28 Sep 89 20:38:05 +0000
From:    mrsvr!gemed.mrisi!davej@csd4.csd.uwm.edu (David Johnson)
Subject: When is a virus not a virus?

The following article copied without permission from the Milwaukee
Sentinel, Thursday, September 28, 1988 to promote discussion on the
ethics involved, legal implications (especially if Lab Force didn't
answer their phone on a Saturday :-)), etc.  I have no interest nor
association with any of the parties mentioned in the article below; I
just thought it would provide some interesting beginnings for
discussion.  I'm especially interested in hearing about "good faith"
legal ramifications of the software described below.

=== BEGIN ARTICLE

"FIRM SAYS 'VIRUS' ENSURES PAYMENT"
By Mike Mulvey
Sentinel staff writer

The "viruses" that allegedly infected a computer system serving three
Milwaukee-area hospitals were actually fail-safe devices installed by
the manufacturer to ensure payment on the system, the company's
president said Wednesday.

Robert C. Lewis, president of Lab Force Inc. in Dallas, Texas,
vehemently denied allegations that his company intentionally introduced
viruses to sabotage the computer network that provided laboratory test
results.

"The allegations are totally without merit," Lewis said.  "It is
insane."
"We have not and never will cause a virus to disrupt a computer system."

Federal Judge John W. Reynolds issued a temporary restraining order
Tuesday barring the Dallas company from introducing any more alleged
viruses into the computer system.

The computer network run by Franciscan Shared Laboratory Inc. services
St. Michael and St. Joseph's Hospitals in Milwaukee and Elmbrook
Memorial Hospital in Brookfield.

Franciscan, of 11020 W. Plank Ct., Wauwatosa, filed a lawsuit Tuesday
in Federal Court, alleging Lab Force introduced a computer virus that
disabled the system Sept. 16 and another virus scheduled to be activated
Nov. 15.  The suit alleged actions by Lab Force were endangering the
lives of patients at the three hospitals.

A hearing on the case is scheduled for Oct. 6 in Federal Court.

"We will let the evidence speak for itself.  We've done what we believe
is in the best interest of our client and its patients," said attorney
John Busch, who is representing Franciscan.  "Lewis may deny allegations
of sabotage, but he doesn't deny the fact that the system was down."

Lewis said the system began operation in April 1988, although Lab Force
still is adding to the network.  He said the system always had had a
"key," a device that locks out the user if a payment schedule isn't
kept or a licensing agreement isn't honored.

Although Franciscan had been making its payments on time, the key that
originally was set to shut down the system Sept. 16 was not rescheduled
for a later date because of a mistake by a Lab Force technician, Lewis
said.

When the technician was notified that the computer system shut down
Sept. 16, he immediately corrected the problem by rescheduling the key
for Nov. 15, said Jerry Levine, a consultant for Lab Force.

"It was a mistake.  Our operator screwed up.  There has never been a
virus in there.  There has only been a simple key."

"Keys are commonly used by hundreds, if not thousands, of software
companies," Levine said.
"Until software is accepted and paid for, the only protection a
software company has against the equipment being stolen is to place a
key in the system."

Lewis said Lab Force was considering filing a countersuit against
Franciscan for damage done to the Dallas company's reputation.

=== END ARTICLE

- --
David J. Johnson - Computer People Unlimited, Inc. @ GE Medical Systems
gemed!python!davej@crd.ge.com - OR - sun!sunbird!gemed!python!davej
"What a terrible thing it is to lose one's mind." - Dan Quayle

------------------------------

Date:    Thu, 28 Sep 89 12:30:50 +0000
From:    Fridrik Skulason
Subject: Cascade in Sargon III (PC)

I just received a report of a shrink-wrapped and write-protected copy
of Sargon III arriving infected with the cascade (1704-A) virus.  The
store selling the program did not have any more copies, but since they
do not allow the return of games, the disk must have been infected
outside of Iceland.

Has anybody else found an infected original of this program ?

--- frisk

------------------------------

Date:    Thu, 28 Sep 89 07:19:19 -0700
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: ViruScan Length (PC)

John McAfee asked me to forward the following message:

My apologies to the VIRUSCAN user community about my premature
announcement some months back that VIRUSCAN would always remain 34400
bytes long.  I am old enough to have known better.  Architectural
changes brought about by newer viruses have necessitated a changing
size for some versions.  Version 39 in particular has been virtually
re-written to double its speed, link with the SHEZ program to scan
archived files and provide an individual file scan if requested.  Such
changes can't be squeezed into the original 34400 bytes.  I accept the
title of idiot from anyone who wishes to confer it on me.  Future
versions of SCAN will contain the file size in the documentation, and
sizes will be appropriately advertised.
John McAfee

------------------------------

Date:    Thu, 28 Sep 89 14:48:00 -0600
From:    Frank Simmons
Subject: Oct 13 PC virus question

I am the editor of our Computer center newsletter.  I want to include
an article in our early October issue about this Oct 13 virus.  Has
anyone any concrete facts about this I can relate and secondly what
hope/vaccines can I offer my readership?

Frank Simmons

------------------------------

Date:    Thu, 28 Sep 89 18:47:36 -0500
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: FixCrime.arc (PC)

New anti-viral, sent directly to me by the author.

fixcrime.arc
        Will fix files infected by DataCrime virus.  Operates only on
        .COM files, not .EXE.  Has programs to combat three different
        strains of DataCrime.  *Use with caution!*

FIXCRIME.ARC    Removes infections of DataCrime virus

Jim

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
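The search-string scan that Andreas Brandl describes in the DATACRIME II INFO message above, as an added illustration that is not part of the digest: a small Python scanner that looks for the quoted hex search-string in .COM/.EXE files and, as a second check, compares a file's current size against a known-clean size using the per-strain growth figures from the same message. The search-string is taken from the digest as the poster gave it (unverified); the sample files are constructed test data.

```python
"""Signature scan for the DATACRIME II search-string quoted in the digest.
Added example, not part of the digest or any product.  All file contents
below are constructed test data; only the hex search-string is from the post."""
import os
import tempfile

# Search-string quoted by Andreas Brandl (he gives no warranty it is right).
DATACRIME_II_SIG = bytes.fromhex("5E81EE030183FE00742A2E8A9403018DBC2901")

# COM-file growth per strain as reported in the digest (EXE growth is variable).
GROWTH_BY_STRAIN = {
    "DATACRIME (1168)": 1168,
    "DATACRIME (1280)": 1280,
    "DATACRIME II": 1514,
}

def scan_bytes(data):
    """Return the offset of the search-string in data, or None if absent."""
    idx = data.find(DATACRIME_II_SIG)
    return idx if idx >= 0 else None

def scan_file(path):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())

def growth_matches(clean_size, current_size):
    """Name the strains whose reported growth equals current - clean size.
    clean_size would come from a backup or an install-time inventory."""
    delta = current_size - clean_size
    return [name for name, g in GROWTH_BY_STRAIN.items() if g == delta]

def scan_dir(root, exts=(".com", ".exe")):
    """Walk root and return (path, offset) for every executable carrying the string."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                off = scan_file(path)
                if off is not None:
                    hits.append((path, off))
    return hits

def demo():
    """Write two constructed sample files to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as d:
        clean = b"\x90" * 300                                   # constructed, no string
        carrier = b"\xb8\x00\x4c" * 40 + DATACRIME_II_SIG + b"\xcd\x21" * 10  # constructed
        with open(os.path.join(d, "CLEAN.COM"), "wb") as fh:
            fh.write(clean)
        with open(os.path.join(d, "WP.COM"), "wb") as fh:
            fh.write(carrier)
        return [(os.path.basename(p), off) for p, off in scan_dir(d)]
```

A match on the string alone is a lead, not a verdict: the poster gives no warranty for the string, so a hit should be confirmed against a known-clean copy before any cleanup.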